Automated Termination Analysis for Logic Programs with Cut∗

Automated Termination Analysis for Logic Programs with Cut∗

PETER SCHNEIDER-KAMP

Dept. of Mathematics and Computer Science, University of Southern Denmark, Denmark

J ¨URGEN GIESL, THOMAS STR ¨ODER

LuFG Informatik 2, RWTH Aachen University, Germany

ALEXANDER SEREBRENIK

Dept. of Mathematics and Computer Science, TU Eindhoven, The Netherlands

REN ´E THIEMANN

Institute of Computer Science, University of Innsbruck, Austria

Abstract

Termination is an important and well-studied property for logic programs. However, al- most all approaches for automated termination analysis focus on definite logic programs, whereas real-worldPrologprograms typically use thecut operator. We introduce a novel pre-processing method which automatically transforms Prolog programs into logic pro- grams without cuts, where termination of the cut-free program implies termination of the original program. Hence after this pre-processing, any technique for proving termina- tion of definite logic programs can be applied. We implemented this pre-processing in our termination proverAProVEand evaluated it successfully with extensive experiments.

KEYWORDS: automated termination analysis, cut, definite logic programs

1 Introduction

Automated termination analysis for logic programs has been widely studied, see, e.g., (Bruynooghe et al. 2007; Codish et al. 2005; De Schreye and Decorte 1994;

Mesnard and Serebrenik 2007; Nguyen et al. 2010; Schneider-Kamp et al. 2009;

Serebrenik and De Schreye 2005). Still, virtually all existing techniques only prove universal¹ termination ofdefinitelogic programs, which do not use thecut “!”. An exception is (Marchiori 1996), which transforms “safely typed” logic programs to term rewrite systems (TRSs). However, the resulting TRSs are complex and since

∗Supported by the Deutsche Forschungsgemeinschaft (DFG) under grant GI 274/5-2, the DFG Research Training Group 1298 (AlgoSyn), and the Danish Natural Science Research Council.

1 Universal termination means that all answers are found after a finite number of derivation steps. Unfortunately, up to now there was hardly any automated technique to prove the at least equally interesting property ofexistential termination (i.e., finite failure or thefirst answer is found after a finite number of derivation steps). Note that if one can handle the cut then one also immediately obtains a method to prove existential termination. The reason is that a query Qis existentially terminating iffQ,! is universally terminating.

there is no implementation of (Marchiori 1996), it is unclear whether they can be handled by existing TRS termination tools. Moreover, (Marchiori 1996)’s method does not allow arbitrary cuts (e.g., it does not operate on programs like Ex. 1).

In the present paper, we introduce a novel approach which shows that universal termination of logic programs with cuts can indeed be proved automatically for (typically infinite) classes of queries. This solves an important open problem in automated termination analysis of logic programs.

Example 1

We want to prove termination of the following program for the class of queries {div(t1, t2, t3)|t1, t2 are ground}. Since we only regard programs without pre-defined predicates, the program contains clauses defining predicates for failure and equality.

So the atomfailure(a) always fails and corresponds toProlog’s pre-defined “fail”.

div(X,0, Z) ← !,failure(a). (1) div(0, Y, Z) ← !,eq(Z,0). (2) div(X, Y,s(Z)) ← sub(X, Y, U),div(U, Y, Z). (3)

failure(b). (4)

eq(X, X). (5)

sub(0, Y,0). (6)

sub(X,0, X). (7)

sub(s(X),s(Y), Z) ← sub(X, Y, Z). (8)

Any termination analyzer that ignores the cut fails, as div(0,0, Z) would lead to the subtraction of0and start an infinite derivation using Clause (3). So due to the cut, (universal) termination effectively depends on the order of the clauses.

There are already several static analysis techniques for logic programming with cut, e.g., (Fil´e and Rossi 1993; Mogensen 1996), which are based on abstract inter- pretation (Cousot and Cousot 1992; Le Charlier et al. 1994; Spoto and Levi 1998).

However, these works do not capture termination as an observable and none of these results targets termination analysis explicitly. While we also rely on the idea of abstraction, our approach does not operate directly on the abstraction. Instead, we synthesize a cut-free logic program from the abstraction, such that termination of the derived program implies termination of the original one. Thus, we can benefit from the large body of existing work on termination analysis for cut-free programs.

Our approach is inspired by our previous successful technique for termination anal- ysis of Haskell programs (Giesl et al. 2006), which in turn was inspired by related approaches to program optimization (Sørensen and Gl¨uck 1995).

In Sect. 2, we introduce the required notions and present a set of simple inference rules that characterize logic programming with cut for concrete queries. In Sect. 3 we extend these inference rules to handleclassesof queries. Using these rules we can automatically build so-called termination graphs, cf. Sect. 4. Then, Sect. 5 shows how to generate a new cut-free logic program from such a graph automatically.

Of course, one can transform any Turing-complete formalism like logic program- ming with cuts into another Turing-complete formalism like cut-free logic program- ming. But the challenge is to develop a transformation such that termination of the resulting programs iseasy to analyze by existing termination tools. Our imple- mentation and extensive experiments in Sect. 6 show that with our approach, the resulting cut-free program is usually easy to handle by existing tools.

2 Concrete Derivations

See e.g. (Apt 1997) for the basics of logic programming. We distinguish between individual cuts to make their scope explicit. So a signature Σ contains all predicate and function symbols and all labeled versions of the cut {!m/0 | m ∈ N}. For simplicity we just consider termsT(Σ,V) and no atoms, i.e., we do not distinguish between predicate and function symbols. To ease the presentation, in the paper we exclude terms with cuts !m as proper subterms. Aclause is a pair H ←B where thehead H is from T(Σ,V) and the body B is a sequence of terms from T(Σ,V).

LetGoal(Σ,V) be the set of all such sequences, where2is the empty goal.

Aprogram P (possibly with cut) is a finite sequence of clauses.Slice(P, t) are all clauses fort’s predicate, i.e., Slice(P, p(t1, ..., tn)) ={c|c= “p(s1, ..., sn)←B”∈ P}.

A substitutionσis a function V → T(Σ,V) and we often denote its application to a term t by tσ instead of σ(t). As usual, Dom(σ) = {X | Xσ 6= X} and Range(σ) ={Xσ|X ∈Dom(σ)}. The restriction ofσtoV⁰⊆ Visσ_|V0(X) =σ(X) ifX∈ V⁰, andσ_|V0(X) =X otherwise. A substitutionσis themost general unifier (mgu) ofsandtiffsσ=tσand, wheneversγ=tγ for someγ, there exists aδsuch that Xγ =Xσδ for allX ∈ V(s)∪ V(t). Ifsand t have no mgu, we writes6∼t.

Finally, to denote the term resulting from replacing all occurrences of a function symbolf in a termtby another function symbol g, we write t[f /g].

Now we recapitulate the operational semantics of logic programming with cut.

Compared to other formulations like (Andrews 2003; Billaud 1990; de Vink 1989;

Kulas and Beierle 2000; Spoto 2000), the advantage of our formalization is that it is particularly suitable for an extension toclasses of queries in Sect. 3 and 4, and for synthesizing cut-free programs in Sect. 5. A formal proof on the correspondence of our inference rules to the semantics of thePrologISO standard (Deransart et al.

1996) can be found in (Str¨oder 2010).

Our semantics is given by 7 inference rules. They operate onstateswhich repre- sent the current goal, and also the backtrack information that is needed to describe the effect of cuts. The backtrack information is given by a sequence of goals which are optionally labeled by the program clause that has to be applied to the goal next. Moreover, our states also contain explicitmarks for the scope of a cut.

Definition 1 (Concrete State)

Aconcrete state is a sequence of elements fromGoal(Σ,V)∪(Goal(Σ,V)×N×N)∪ {?n|n∈N}, where elements are separated by “|”.State(Σ,V)is the set of all concrete states.

So an element of a state can be Q ∈ Goal(Σ,V); or a labeled goal Qⁱ_m ∈ Goal(Σ,V)×N×Nrepresenting that we must apply thei-th program clause toQ next, wheremdetermines how a cut introduced by the body of thei-th clause will be labeled; or ?m. Here, ?m serves as a marker to denote the end of the scope of cuts !_m labeled withm. Whenever a cut !_m is reached, all elements preceding ?_m are discarded.

Now we express derivations in logic programming with cut by seven rules. Here, S andS⁰ are concrete states and the goalQmay also be2(then “t, Q” is t).

Definition 2 (Semantics with Concrete Inference Rules)

2|S

S (Suc) ^?m|S

S (Fail) ^{!m, Q|S|?m|S}

0

Q|?m|S⁰ (Cut) where S con- tains no ?m

!m, Q|S Q (Cut)

where S con- tains no ?m

t, Q|S

(t, Q)ⁱ_m¹ |. . .|(t, Q)ⁱ_m^k|?m|S ^(Case)

wheretis neither a cut nor a variable,m is greater than all previous marks, and Slice(P, t) = {ci₁, . . . , ci_k} with i1 <

. . . < ik

(t, Q)ⁱ_m|S

B⁰_iσ, Qσ|S ^(Eval) where

ci=Hi←Bi, mgu(t, Hi) =σ, B_i⁰=Bi[! /!m].

(t, Q)ⁱ_m|S

S (Backtrack) where c_i=H_i←B_i andt 6∼ Hi. The Suc rule stands for “success” and it is applicable if the first goal of our sequence could be proved. As we handle universal termination, we then have to backtrack to the next goal in the sequence. Failmeans that for the current m-th case analysis, there are no further backtracking possibilities. This rule is applicable if ?m is the first element of our backtracking sequence. But the whole derivation does not have to fail, since the state S may still contain further alternative goals which have to be examined.

To make the backtracking possibilities explicit, the resolution of a program clause with the first atom t of the current goal (corresponding to Prolog’s left-to-right selection rule) is split into two operations. The Case analysis determines which clauses could be applied to t by slicing the program according to t’s root sym- bol. It replaces the current goal (t, Q) by a goal labeled with the index i₁ of the first such clause and adds copies of (t, Q) labeled by the indices i2, . . . , ik of the other potentially applicable clauses as backtracking possibilities. Additionally, these goals are labeled by a fresh mark m ∈ N that is greater than all previ- ous marks, and ?m is added at the end of the new backtracking goals to denote

div(0,0, Z) Case div(0,0, Z)11|div(0,0, Z)21|div(0,0, Z)31|?1

!1,failure(a)|div(0,0, Z)21|div(0,0, Z)31|?1 Eval id

failure(a)|?1 Cut

failure(a)42|?2|?1

Case

?2|?1 Backtrack

Fail ?1

Fail ε

the scope of cuts. For instance, consider the program of Ex. 1 and the query div(0,0, Z). This query is represented by the concrete state consisting of just the goal div(0,0, Z). Here, we obtain the se- quence depicted at the side. The

Case rule results in a state which represents a case analysis where we first try to apply the firstdiv-clause (1). When backtracking later on, we use clauses (2) and (3).

For a goal (t, Q)ⁱ_m, ift unifies with the headHi of the corresponding clause, we applyEval. This rule replacestby the bodyBiof the clause and applies the mgu σto the result. When depicting rule applications as trees, the corresponding edge is labeled withσ|_V(t). All cuts occurring inB_i are labeled withm. The reason is that if one reaches such a cut, then all further alternative goals up to ?mare discarded.

Iftdoes not unify withHi, we apply theBacktrackrule. Then, Clauseicannot be used and we just backtrack to the next possibility in our backtracking sequence.

Finally, there are two Cutrules. The first rule removes all backtracking infor- mation on the level m where the cut was introduced. Since the explicit scope is represented by !mand ?m, we have turned the cut into alocal operation depending solely on the current state. Note that ?_m must not be deleted as the current goal Qcould still lead to another cut !m. The secondCutrule is used if ?m is missing (e.g., if a cut !_mis already in the initial query). Later on, such states can also result from the additional Parallel inference rule which will be introduced in Sect. 4.

We treat such states as if ?_mwere added at the end of the backtracking sequence.

So to apply the cut !1in our example, we remove all subsequent elements in the list up to ?₁. So we remove the backtracking goalsdiv(0,0, Z)²₁anddiv(0,0, Z)³₁and obtain the statefailure(a)⁴₂|?1, which eventually fails. Note that due to the cut, we did not have to backtrack using the otherdiv-clauses.

Note that these rules do not overlap, i.e., there is at most one rule that can be applied to any state. The only case where no rule is applicable is when the state is the empty sequence (denotedε) or when the first goal starts with a variable.

The rules of Def. 2 define the semantics of logic programs with cut using states.

They can also be used to define the semantics using derivations between goals:

there is a derivation from the goalQtoQ⁰ in the programP (denotedQ`<sup>∗</sup><sub>P,θ</sub>Q<sup>0</sup>) iff repeated application of our rules can transform the state<sup>2</sup> Q to a state of the form Q<sup>0</sup> |S for someS, andQ<sup>0</sup> results fromQ<sup>0</sup> by removing all labels. Moreover, θ = θ<sub>1</sub>θ<sub>2</sub>. . . θ<sub>n</sub> where θ<sub>1</sub>, . . . , θ<sub>n</sub> are the mgu’s used in those applications of the Evalrule that led toQ<sup>0</sup>. We callθ<sub>|V(Q)</sub>the corresponding answer substitution. If θ is not of interest, we write`_P instead of`_P,θ.

Consequently, our inference rules can be used for termination proofs: If there is an infinite derivation (w.r.t.`P) starting in some goalQ, then there is also an infinite sequence of inference rule applications starting in the state Q, i.e., Q is a “non- terminating state”. Note that we distinguish derivations in logic programming (i.e., Q`P Q⁰ for goalsQandQ⁰) from sequences of states that result from application of the inference rules in Def. 2. If a state S can be transformed into a stateS⁰ by such an inference rule, we speak of a “state-derivation”.

3 Abstract Derivations

To representclasses of queries, we introduceabstract terms, i.e., terms containing two kinds of variables. Let A be the set of abstract variables, where each T ∈ A represents a fixed but arbitrary term.N consists of all “ordinary” variables in logic programming. Then, as abstract terms we consider all terms from the setT(Σ,V) whereV =N ]A.Concrete termsare terms fromT(Σ,N), i.e., terms containing no abstract variables. For any set V⁰⊆ V, letV⁰(t) be the variables fromV⁰ occurring in the termt.

To determine by which terms an abstract variable may be instantiated, we add a knowledge base KB = (G,U) to each state, where G ⊆ Aand U ⊆ T(Σ,V)×

2 IfQcontains cuts, then the inference rules have to be applied toQ[!/!1] instead ofQ.

T(Σ,V). The variables inGmay only be instantiated by ground terms. And (s, s⁰)∈ U means that we are restricted to instantiations γ of the abstract variables where sγ6∼s⁰γ, i.e.,sands⁰ may not become unifiable when instantiating them withγ.

Definition 3 (Abstract State)

The set of abstract states AState(Σ,N,A) is a set of pairs (S;KB) of a concrete stateS∈State(Σ,N ∪ A) and a knowledge base KB.

A substitutionγ is aconcretization of an abstract state if it respects the knowl- edge base (G,U). So first, γ instantiates all abstract variables, i.e.,Dom(γ) =A.

Second, when applyingγ, the resulting term must be concrete, i.e.,V(Range(γ))⊆ N. Third, abstract variables from G may only be replaced by ground terms, i.e., V(Range(γ_|G)) =∅. Fourth, for all pairs (s, s⁰)∈ U, sγands⁰γ must not unify.

Definition 4 (Concretization)

A substitutionγ is aconcretization w.r.t. (G,U) iffDom(γ) =A, V(Range(γ))⊆ N,V(Range(γ_|G)) =∅, andsγ6∼s⁰γfor all (s, s⁰)∈ U. The set of concretizations of an abstract state (S;KB) isCon(S;KB) ={Sγ|γis a concretization w.r.t.KB}.

Example 2

Consider the abstract state which consists of the single goalsub(T1, T2, T3) and the knowledge base ({T1, T2},{(T1, T3)}), withTi ∈ Afor alli. So hereG={T1, T2}and U only contains (T₁, T₃). This represents all concrete statessub(t₁, t₂, t₃) wheret₁, t₂ are ground terms and wheret1andt3do not unify, i.e.,t3does not matcht1. For ex- ample,sub(0,0, Z) is not represented as0andZ unify. In contrast,sub(s(0),s(0),0) and sub(0,0,s(0)) are represented. Note thatsub(s(0),s(0),0) can be reduced to sub(0,0,0) using Clause (8) from Ex. 1. But Clause (8) cannot be applied to all concretizations. For example, the concrete state sub(0,0,s(0)) is also represented by our abstract state, but here no clause is applicable.

Ex. 2 demonstrates that we need to adapt our inference rules to reflect that sometimes a clause can be applied only for some concretizations of the abstract variables, and to exploit the information from the knowledge base of the abstract state. We now adapt our inference rules to abstract states that represent sets of concrete states. The invariant of our rules is that all states represented by the parent node are terminating if all the states represented by its children are terminating.

(We now also permit rules leading to more than one child node.) Definition 5 (Sound Rules)

An abstract state is called terminating iff all its concretizations are terminating.

A rule ρ : AState(Σ,N,A) → 2^{AState(Σ,N,A)} is sound if (S;KB) is terminating whenever all (S⁰;KB⁰)∈ρ(S;KB) are terminating.

To prove the soundness of our adapted inference rules, we will ensure that they all satisfy the followingsimulation property for every abstract state (S;KB) and each of its concretizationsSγ∈ Con(S;KB): If the concrete stateSγcan be transformed into a concrete stateRby a concrete inference rule, then the abstract state (S;KB) can be transformed into an abstract state (S⁰;KB⁰), such thatRis a concretization

of the state (S⁰;KB⁰), i.e., R ∈ Con(S⁰;KB⁰). Note that the simulation property implies the soundness of the abstract rules. If (S;KB) were non-terminating, then one of its concretizations Sγ ∈ Con(S;KB) would also be non-terminating. But by the soundness of the concrete rules, then R (i.e., one of the concretizations of (S⁰;KB⁰)) would be non-terminating as well, which implies non-termination of (S⁰;KB⁰).

The rulesSuc,Fail,Cut, andCasedo not change the knowledge base and are, thus, straightforward to adapt. Here,S|S⁰;KB stands for ((S|S⁰);KB).

Definition 6 (Abstract Inference Rules – Part 1 (Suc,Fail,Cut,Case)) 2|S;KB

S;KB ^(Suc)

?m|S;KB S;KB ^(Fail)

!m, Q|S|?m|S⁰;KB Q|?m|S⁰;KB ^(Cut)

where S contains no ?m

!m, Q|S;KB Q;KB ^(Cut)

where S contains no ?m

t, Q|S;KB

(t, Q)ⁱ_m¹ |. . .|(t, Q)ⁱ_m^k|?m|S;KB ^(Case)

where t is neither a cut nor a vari- able, m is greater than all pre- vious marks, and Slice(P, t) = {ci₁, . . . , ci_k}withi1< . . . < ik

For Suc, Fail, Cut and Case, again at most one of the rules is applicable.

For the concrete Evaland Backtrackrules, in Def. 2, we determined which of these two rules to choose by trying to unify the first atom t with the head Hi of the corresponding clause. But as demonstrated by Ex. 2, in the abstract case we might need to apply Eval for some concretizations and Backtrack for others.

Backtrack can be used for all concretizations of our abstract state if t does not unify with H_i or if their mgu contradicts U. This gives rise to the abstract Backtrackrule in the following definition. When the abstractBacktrackrule is not applicable, we still cannot be sure thattγunifies withH_ifor all concretizations γ. Thus, we have an abstract Evalrule with two successor states that combines both the concreteEvaland the concreteBacktrackrule.

Definition 7 (Abstract Inference Rules – Part 2 (Backtrack,Eval)) (t, Q)ⁱ_m|S;KB

S;KB (Backtrack) where ci = Hi ← Bi and there is no con- cretizationγ w.r.t.KB such thattγ∼Hi. (t, Q)ⁱ_m|S; (G,U)

B_i⁰σ, Qσ|Sσ_|G; (G⁰,Uσ_|G) S; (G,U ∪ {(t, Hi)})^(Eval)

where ci = Hi ← Bi and mgu(t, Hi) = σ. W.l.o.g., V(σ(X)) only contains fresh abstract variables for allX ∈ V. Moreover,G⁰ =A(Range(σ_|G)) andB_i⁰ =Bi[!/!m].

Before explaining theEvalrule in detail, we illustrate the above definition with a first example without variables. The example shows that although the abstract Evalrule has a second child which corresponds to a backtrack step, the additional abstract Backtrack rule is also needed. Otherwise, even if the clause Hi ← Bi

cannot be applied to any concretization of the current abstract goal (e.g., because

of a cut), we would always have to generatetwo children with theEvalrule (one for the successful application of the clause and one for backtracking). In this way, instead of a short finite tree that ends with failure, we would obtain an infinite tree.

Example 3

To see this, consider the following program:

p ← !. (9) p ← p. (10)

Without the abstractBacktrackrule, we would obtain the following tree from the initial state (p; (∅,∅)). Here, the edge to the left child of the Eval node is marked by the corresponding mgu (which is the identity idin our example).

p; (∅,∅)

p⁹₁|p¹⁰₁ |?1; (∅,∅) Case

!₁|p¹⁰₁ |?₁; (∅,∅) id Eval

p¹⁰₁ |?1; (∅,{(p,p)}) Eval

2|?₁; (∅,∅) Cut

p|?₁; (∅,{(p,p)}) id Eval

?₁; (∅,{(p,p)}) Eval

?1; (∅,∅) Suc

p⁹₂|p¹⁰₂ |?₂|?1; (∅,{(p,p)}) Case

ε; (∅,{(p,p)}) Fail

ε; (∅,∅) Fail

. . . id Eval

. . . Eval

Note that in the rightmost node marked with “. . . ”, one would again apply the Eval rule etc. which would lead to an infinite tree. The reason is that in theEvalrule one does not take into account that no concretization of the current abstract goal would unify with any head of a program clause (sinceEvaldisregards the information in the set U which in our case states thatp may not unify with p; i.e., in our case there is no possible concretization of this abstract state). So instead of the Eval rule, we should rather apply the Backtrack rule to the state (p¹⁰₁ |?1; (∅,{(p,p)})) which would result in the only child (?1; (∅,{(p,p)})).

Another step with the Fail rule would then give the final state (ε; (∅,{(p,p)})), i.e., the resulting tree would be finite.

In the abstract Eval rule, the knowledge base is updated differently for the successors corresponding to the concrete Eval and to the concrete Backtrack rule. For all concretizations corresponding to the second successor of Eval, the concretization of tdoes not unify with Hi. Hence, here we add the pair (t, Hi) to the setU.

Now consider concretizations γ where tγ and Hi unify, i.e., concretizations γ

corresponding to the first successor of theEvalrule. Then for anyT ∈ G,T γ is a ground instance ofT σ. Hence, we replace all T ∈ G byT σ, i.e., we applyσ_|G toU and S. Now the new setG⁰ of abstract variables that may only be instantiated by ground terms isA(Range(σ_|G)). As before,t is replaced by the instantiated clause bodyBi where we label cuts with the numberm of the currentCaseanalysis.

In the Eval rule, w.l.o.g. we assume that mgu(t, H_i) renames (a) all abstract variables and (b) also all non-abstract variables to fresh abstract variables. As illustrated by the following two examples, this is needed to handle “sharing” effects correctly, i.e., to handle concretizations which introduce multiple occurrences of (concrete) variables.

Example 4

We first illustrate the need for (b), i.e., for the renaming of non-abstract variables into fresh abstract variables. Consider the following program.

p(a). (11) p(b). (12) q(c) ← !. (13) q(X) ← q(X). (14) Regard the abstract state ((p(T),q(X))¹¹₁ ; (∅,∅)) with T ∈ A and X ∈ N. It has the concretization (p(X),q(X))¹¹₁ which results from instantiating the abstract variable T with the concrete variable X. So now the instantiation of T “shares”

the variableX which was already present in the abstract state. Using the concrete Evalrule, the state (p(X),q(X))¹¹₁ can be transformed intoq(a). However, if we did not rename concrete variables, then the abstract Evalrule would only transform the abstract state ((p(T),q(X))¹¹₁ ; (∅,∅)) into (q(X); (∅,∅)). Now the simulation property would be violated since q(a) is not a concretization of (q(X); (∅,∅)), as concretizations may not instantiate non-abstract variables likeX. In fact, the state q(a) is non-terminating, whereas (q(X); (∅,∅)) is terminating and thus, theEval rule would no longer be sound. In contrast, when using unifiers that rename all concrete variables to fresh abstract variables as in Def. 7, the abstract Evalrule yields the state (q(T⁰); (∅,∅)) whereT⁰ is a fresh abstract variable.

Example 5

Now we illustrate the need for (a), i.e., for the renaming of abstract variables. We use the same program as in Ex. 4 and consider the abstract state ((p(X),q(T))¹¹₁ | (p(X),q(T))¹²₁ ; (∅,∅)). It has the concretization ((p(X),q(X))¹¹₁ |(p(X),q(X))¹²₁ ) which results from instantiating the abstract variable T with the concrete vari- able X. So now also the two instantiations of T “share” the variable X. Since these two instantiations belong to two different backtracking alternatives, it should be possible to instantiate the variable X differently in these two alternatives.

Using the concrete Eval rule, the state ((p(X),q(X))¹¹₁ | (p(X),q(X))¹²₁ ) can be transformed into (q(a) | (p(X),q(X))¹²₁ ). However, if we did not rename ab- stract variables, then the abstract Eval rule would transform the abstract state ((p(X),q(T))¹¹₁ |(p(X),q(T))¹²₁ ; (∅,∅)) into (q(T) |(p(X),q(T))¹²₁ ; (∅,∅)). Now the simulation property would be violated since (q(a) | (p(X),q(X))¹²₁ ) is not a concretization of (q(T)|(p(X),q(T))¹²₁ ; (∅,∅)). To solve this problem, we use uni- fiers that rename all abstract variables into fresh ones. Then the abstractEvalrule would create the new abstract state (q(T⁰)|(p(X),q(T))¹²₁ ; (∅,∅)) instead.

With the rules of Def. 6 and 7, the simulation property is fulfilled. It guarantees that any concrete state-derivation with the rules from Def. 2 can also be simulated with the abstract rules from Definitions 6 and 7.

Now any concrete derivation with the rules from Def. 2 can also be simulated with the abstract rules from Def. 6 and 7. But unfortunately, even for terminat- ing goals, in general these rules yield an infinite tree. The reason is that there is no bound on the size of terms represented by the abstract variables and hence,

p(T1 ); ({T1},∅)

p(T1 )15

1 |?1; ({T1},∅) Case

?1; ({T1},{(p(T1 ),p(s(X)))}) Eval

ε; ({T1},{(p(T1 ),p(s(X)))}) Fail p(T2 )|?1; ({T2},∅)

T1/s(T2 ) Eval

p(T2 )15

2 |?2|?1; ({T2},∅) Case

?2|?1; ({T2},{(p(T2 ),p(s(X)))}) Eval

p(T3 )|?2|?1; ({T3},∅) T2/s(T3 ) Eval

. . . Case

. . . Fail

the abstractEval rule can be applied infinitely often.

Example 6

Consider the 1-rule program p(s(X))←p(X). (15) For queries of the form p(t) wheretis ground, the program terminates. However, the tree built using the abstract infer- ence rules is obviously infinite.

4 From Trees to Graphs

To obtain a finite graph instead of an infinite tree, we now introduce an additional Instance rule which allows us to connect the current state (S;KB) with a previ- ous state (S⁰;KB⁰), provided that the current state is an instance of the previous state. In other words, every concretization of (S;KB) must be a concretization of (S⁰;KB⁰). Still,Instance is often not enough to obtain a finite graph.

Example 7

We extend Ex. 6 by the following additional fact.

p(X). (16)

For queries p(t) where t is ground, the program still terminates. If we start with (p(T1); ({T1},∅)), then the Case rule results in the state (p(T1)¹⁵₁ |p(T1)¹⁶₁ |?1; ({T1},∅)) and theEvalrule produces two new states, one of them being (p(T₂)| p(s(T2))¹⁶₁ |?1; ({T2},∅)).

To simplify states, from now on we will eliminate so-callednon-activemarks ?_m which occur as first or as last element in states. Eliminating ?mfrom the beginning of a state is possible, as Fail would also remove such a ?m. Eliminating ?m from the end of a state is possible, as applying the firstCutrule to a state ending in ?m

is equivalent to applying the second Cutrule to the same state without ?m. We will also reduce the knowledge base to just those abstract variables that occur in the state and remove pairs (s, s⁰) from U where s 6∼ s⁰. Still, (p(T2) | p(s(T₂))¹⁶₁ ; ({T₂},∅)) is not an instance of the previous state (p(T₁); ({T₁},∅)) due to the added backtrack goalp(s(T2))¹⁶₁ . In other words, as soon as there is more than one clause for some predicate p, then each application of theCase rule produces

p(T1 ); ({T1},∅)

p(T1 )15 1 |p(T1 )16

1 ; ({T1},∅) Case

p(T1 )16

1 ; ({T1},∅) Parallel

p(T1 )15 1 ; ({T1},∅)

Parallel

p(T2 ); ({T2},∅) T1/s(T2 ) Eval Instance

ε; (∅,∅) Eval

2; (∅,∅) Eval T1/T2

ε; (∅,∅) Eval

ε; (∅,∅) Suc

an additional backtracking tar- get. For this reason, the new state is not an instance of any previous state. Therefore, we now introduce a Parallel rule that allows us to split a back- tracking sequence into separate problems. Now we obtain the graph on the right.

Clearly,Parallel may transform terminating into non-terminating states. For example, in the program with the clause p ← p, the state ( !1 | p; (∅,∅)) is ter- minating, but theParallel rule could transform it into ( !1; (∅,∅)) and the non- terminating state (p; (∅,∅)). But without further conditions,Parallelis not only

“incomplete”, but also unsound. Consider a state ( !2|!1|?2|p; (∅,∅)) for the pro- gramp←p. The state is not terminating, as !₁is not reachable. Thus, one eventu- ally evaluates p. But if one splits the state into (!2; (∅,∅)) and (!1|?2|p; (∅,∅)), both new states terminate. So the problem is that due to the splitting of the back- tracking sequence, we can suddenly reach the cut !1 that is unreachable in reality and thereby we can cut away the non-terminating partp.

To solve this problem, in addition to the “active marks” (cf. Ex. 7) we introduce the notion of active cuts. The active cuts of a state S are thosem ∈N where !_m occurs inSor where !mcan be introduced byEvalapplied to a labeled goal (t, q)ⁱ_m occurring inS. Now theParallelrule may only split a backtracking sequence into two partsS andS⁰ if the active cuts ofS and the active marks ofS⁰ are disjoint.

Definition 8 (Abstract Inference Rules – Part 3 (Instance,Parallel)) S; (G,U)

S⁰; (G⁰,U⁰) (Instance) if there is a µ such that S = S⁰µ, µ|_N is a variable renaming,V(T µ)⊆ G for allT ∈ G⁰, andU⁰µ⊆ U.

S|S⁰;KB

S;KB S⁰;KB ^(Parallel) ifAC(S)∩AM(S⁰) =∅

p(T1 ); ({T1},∅)

p(T1 )17 1 ; ({T1},∅)

Case

p(T2 ),q; ({T2},∅) T1/s(T2 ) Eval

ε; (∅,∅) Eval

p(T2 )17

2 ,q; ({T2},∅) Case

ε; (∅,∅) Eval

p(T3 ),q,q; ({T3},∅) T2/s(T3 ) Eval

. . . Case

Theactive cuts AC(S) are allmwhere !_mis inS or (t, q)ⁱ_mis inSandci’s body has a cut. Theactive marks AM(S) are allmwhereS=S⁰|?m|S⁰⁰and S⁰6=ε6=S⁰⁰.

Example 8

However, there are still examples where the graph cannot be “closed”. Consider the program

p(s(X))←p(X),q. (17) q. (18) For queries p(t) where t is ground, the program again terminates. With Def. 6, 7, and 8, we obtain the infinite tree on the right. It never encounters

an instance of a previous state, since each resolution with Clause (17) adds aqto the goal.

Thus, we introduce a final abstract Split rule to split a state (t, Q;KB) into (t;KB) and a state (Qµ;KB⁰), whereµapproximates the answer substitutions for t. The edge from (t, Q;KB) to (Qµ;KB⁰) is labeled with µ|_V(t)∪V(Q). To simplify the Split rule, we only define it for backtracking sequences of one element. To obtain such a sequence, we can use theParallelrule.

Definition 9 (Abstract Inference Rules – Part 4 (Split)) t, Q; (G,U)

t; (G,U) Qµ; (G⁰,Uµ) ^(Split)

whereµreplaces all variables fromV \G by fresh abstract variables andG⁰=G ∪ ApproxGnd(t, µ).

Here, ApproxGnd is defined as follows. We assume that we have a groundness analysis functionGround_P : Σ×2^N →2^N, see, e.g., (Howe and King 2003). If p is an n-ary predicate, {i1, . . . , im} ⊆ {1, . . . , n}, andGroundP(p,{i1, . . . , im}) = {j1, . . . , jk}, then any successful derivation p(t1, . . . , tn) `^∗_P,θ 2 where ti₁, . . . , ti_m

are ground will lead to an answer substitutionθsuch thatt_j1θ, . . . , t_jkθare ground.

SoGround_P approximates which positions ofpwill become ground if the “input”

positionsi₁, . . . , i_mare ground. Now ift=p(t₁, . . . , t_n) is an abstract term where ti₁, . . . , ti_m are ground in every concretization (i.e., all their variables are fromG), then ApproxGnd(t, µ) returns the µ-renamings of all abstract variables that will be ground in every successful derivation starting from a concretization oft. Thus, ApproxGnd(t, µ) contains the abstract variables oftj₁µ, . . . , tj_kµ. So formally

ApproxGnd(p(t₁, . . . , t_n), µ) ={A(tjµ)|j ∈Ground_P(p,{i| V(t_i)⊆ G})}

Example 9

To illustrate Def. 9, regard the program of Ex. 1 and the state (sub(T₅, T₆, T₈), div(T8, T6, T7); ({T5, T6},U)) with T5, T6, T7, T8 ∈ A. (This state will occur in the termination proof ofdiv, cf. Ex. 10.) We haveG={T₅, T₆}and hence ifsub(t₁, t₂, t₃) is sub(T5, T6, T8), then GroundP(sub,{i | V(ti) ⊆ G}) = GroundP(sub,{1,2}) = {1,2,3}. In other words, if the first two arguments of sub are ground and the derivation is successful, then the answer substitution also instantiates the third ar- gument to a ground term. Sinceµonly renames variables outside ofG, we haveµ=

p(T1 ); ({T1},∅)

p(T1 )17 1 ; ({T1},∅)

Case

ε; (∅,∅) Eval

p(T2 ),q; ({T2},∅) T1/s(T2 ) Eval

p(T2 ); ({T2},∅) Split Instance

q; (∅,∅) Split

id

q18 2 ; (∅,∅)

Case

ε; (∅,∅) Eval

2; (∅,∅) id Eval

ε; (∅,∅) Suc

{T₇/T₉, T₈/T₁₀}.

SoApproxGnd(sub(T5, T6, T8), µ) = {A(t₁µ),A(t₂µ),A(t₃µ)} = {T₅µ, T6µ, T8µ} = {T5, T6, T10}. So the Split rule transforms the current state to (sub(T₅, T₆, T₈); ({T5, T₆},U)) and (div(T10, T6, T9); ({T5, T6, T10}, Uµ)) where one can eliminateT₅from the new groundness setG⁰.

With the additionalSplit rule, we can always obtain finite graphs in- stead of infinite trees. (This will be

proved in Thm. 2.) Thus, no further rules are needed. As depicted on the previous page, now we can also close the graph for Ex. 8’s program.

Thm. 1 proves the soundness of all our abstract inference rules. In other words, if all children of a node are terminating, then the node is terminating as well.

Theorem 1(Soundness of the Abstract Inference Rules) The inference rules from Def. 6, 7, 8, and 9 are sound.³

5 From Termination Graphs to Logic Programs

Now we introducetermination graphsas a subclass of the graphs obtained by Def. 6, 7, 8, 9. Then we show how to extract cut-free programs from termination graphs.

Definition 10(Termination Graph)

A finite graph built from an initial state (S;KB) using Def. 6, 7, 8, and 9 is a termination graph iff there is no cycle consisting only of Instance edges and all leaves are of the form (ε;KB⁰) or (X, Q|S;KB⁰) withX ∈ V. If there are no leaves of the form (X, Q|S;KB⁰), then the graph is “proper”.

We want to generate clauses for the loops in the termination graph and show their termination. Thus, there should be no cycles consisting only of Instanceedges, as they would lead to trivially non-terminating clauses. Moreover, the only leaves of the graph may be nodes where no inference rule is applicable anymore (i.e., the graph must be “fully expanded”). Hence, leaves can only be nodes where the state consists only of the empty backtracking sequence ε or where the first goal of the backtracking sequences starts with a variable. For example, the graph at the end of Sect. 4 is a termination graph. Thm. 2 shows that termination graphs can always be obtained automatically.

Theorem 2(Existence of Termination Graphs)

For any programP and abstract state (S;KB), there exists a termination graph.

Example 10

For the program from Ex. 1 we obtain the termination graph on the next page.

Here, U ={(div(T5, T6, T3),div(X,0, Z)),(div(T5, T6, T3),div(0, Y, Z))}results from exploiting the cuts.Uimplies that neitherT₆norT₅unify with0. Thus, only Clause (8) is applicable to evaluate the state in Node d. This is crucial for termination, because in d, sub’s resultT₈ is always smaller thansub’s input argument T₅ and therefore,div’s first argument in Nodecis smaller thandiv’s first argument in Node a.

3 For all proofs, we refer to the appendix.

div(T1, T2, T3 ); ({T1, T2},∅) a

div(T1, T2, T3 )1

1|div(T1, T2, T3 )2

1|div(T1, T2, T3 )3

1 ; ({T1, T2},∅) Case

!1,fail|div(T4,0, T3 )2

1|div(T4,0, T3 )3 ({T4},∅) 1 ;

Eval T1/T4, T2/0, T3/T5

fail; (∅,∅) Cut

ε; (∅,∅) Case

div(T1, T2, T3 )2

1|div(T1, T2, T3 )3 ({T1, T2},{(div(T1, T2, T3 ),div(X,1 ;0, Z))})

Eval

!1,eq(T5,0)|div(0, T4, T3 )3 ({T4},{(div(0, T4, T3 ),div(X,0, Z))})1 ;

Eval T1/0, T2/T4, T3/T5

eq(T5,0); (∅,∅) Cut

eq(T5,0)54 ; (∅,∅) Case

2; (∅,∅) b

Eval T5/0

ε; (∅,∅) Suc

ε; (∅,∅) Eval

div(T1, T2, T3 )3

1 ; ({T1, T2},{(div(T1, T2, T3 ), div(X,0, Z)),(div(T1, T2, T3 ),div(0, Y, Z))})

Eval

sub(T5, T6, T8 ),div(T8, T6, T7 ); ({T5, T6},U) Eval T1/T5, T2/T6, T3/s(T7 )

ε; (∅,∅) Eval

sub(T5, T6, T8 ); ({T5, T6},U) d

Split

div(T10, T6, T9 ); ({T6, T10},U 0) c

Split T7/T9, T8/T10

Instance

sub(T5, T6, T8 )6

2|sub(T5, T6, T8 )7

2|sub(T5, T6, T8 )8

2 ; ({T5, T6},U) Case

sub(T5, T6, T8 )7

2|sub(T5, T6, T8 )8

2 ; ({T5, T6},U) Backtrack

sub(T5, T6, T8 )8

2 ; ({T5, T6},U) Backtrack

sub(T9, T10, T11 ); ({T9, T10},∅) e

Eval T5/s(T9 ), T6/s(T10 ), T8/T11

ε; (∅,∅) Eval

sub(T9, T10, T11 )6

3|sub(T9, T10, T11 )7

3|sub(T9, T10, T11 )8

3 ; ({T9, T10},∅) Case

sub(T9, T10, T11 )6

3 ; ({T9, T10},∅)

Parallel

sub(T9, T10, T11 )7

3|sub(T9, T10, T11 )8

3 ; ({T9, T10},∅) Parallel

2; (∅,∅) f

Eval

T9/0, T10/T12, T11/0

ε; (∅,∅) Eval

sub(T9, T10, T11 )7

3 ; ({T9, T10},∅) Parallel

sub(T9, T10, T11 )8

3 ; ({T9, T10},∅) Parallel ε; (∅,∅)

Suc

2; (∅,∅) g

Eval T9/T12, T10/0, T11/T12

ε; (∅,∅) Eval

sub(T12, T13, T14 ); ({T12, T13},∅) h

Eval T9/s(T12 ), T10/s(T13 ), T11/T14

Instance

ε; (∅,∅) Eval

ε; (∅,∅) Suc

Remember that our goal is to show termination of the initial state of the graph.

Since the graph only has leaves (ε;KB) that are obviously terminating, by sound- ness of the inference rules, it remains to prove that there is no state-derivation which would correspond to an infinite traversal of the cycles in the graph. So in our example, we have to show that the Instanceedges for divandsub cannot be traversed infinitely often.

We now synthesize a cut-free program from the termination graph. This program has the following property: if there is a state-derivation from a concretization of one state to a concretization of another state which may be crucial for non-termination, then there is a corresponding derivation in the obtained cut-free program.

More precisely, we build clauses for all clause paths. For a termination graph G, let Instance(G) denote all nodes of G to which the rule Instance has been applied (i.e.,candhin our example). The sets Split(G) andSuc(G) are defined analogously. For any noden, letSucc(i, n) denote thei-th child ofn. Clause paths are paths in the graph that start in the root node, in the successor node of an Instance node, or in the left child of a Split node and that end in a Suc or Instance node or in the left child of anInstance orSplitnode.

Definition 11(Clause Path)

A pathπ=n₁. . . n_k inGis aclause path iffk >1 and

• n1∈Succ(1,Instance(G)∪Split(G)) orn1 is the root ofG,

• nk∈Suc(G)∪Instance(G)∪Succ(1,Instance(G)∪Split(G)),

• for all 1≤j < k, we havenj 6∈Instance(G), and

• for all 1< j < k, we havenj 6∈Succ(1,Instance(G)∪Split(G)).

Since we only want finitely many clause paths, they may not traverseInstance edges. Clause paths may also not follow left successors of Instance or Split. Instead, we create new clause paths starting at these nodes. In our example, we have clause paths fromatob,ato c,a tod,d toe,e tof,eto g, ande toh.

To obtain a cut-free logic program, we construct one clause for each clause path π =n₁. . . n_k. The head of the new clause corresponds to n₁ where we apply the relevant substitutions betweenn1 and nk. The last body atom corresponds to nk. The intermediate body atoms correspond to those nodes that are left children of those ni which are from Split(G). Note that we apply the relevant substitutions betweenn_i andn_k to the respective intermediate body atom as well.

In our example, the path froma tobis labeled by the substitution σ={T1/0, T2/T4, T3/0, T5/0}. Hence, we obtain the factdiv_a(T1, T2, T3)σ=div_a(0, T4,0). We always use a new predicate symbol when translating a node into an atom of a new clause (i.e., div_a is fresh). Instance nodes are the only exception. There, we use the same predicate symbol both for theInstance node and its successor.

For the path fromatoc, we have the substitutionσ⁰={T1/T5, T2/T6, T3/s(T9), T₇/T₉, T₈/T₁₀}. Right children of Split nodes can only be reached if the goal in the left Split-child was successful. So sub(T5, T6, T8)σ⁰ must be derived to 2 before the derivation can continue with div. Thus, we obtain the new clause div_a(T₅, T₆,s(T₉))←sub_d(T₅, T₆, T₁₀),div_a(T₁₀, T₆, T₉). Note that we used the same symboldiv_a for both occurrences ofdiv as they are linked by anInstance edge.

Continuing in this way, we obtain the following logic program for which we have to show termination w.r.t. the set of queries{div_a(t1, t2, t3)|t1, t2are ground}, as specified by the knowledge base in the root nodea.

div_a(0, T4,0).

div_a(T5, T6,s(T9)) ← sub_d(T5, T6, T10),div_a(T10, T6, T9). (19) div_a(T₅, T₆,s(T₇)) ← sub_d(T₅, T₆, T₈).

sub_d(s(T9),s(T10), T11) ← sub_e(T9, T10, T11).

sub_e(0, T₁₂,0).

sub_e(T12,0, T12).

sub_e(s(T12),s(T13), T14) ← sub_e(T12, T13, T14).